The problem with most Linux cheatsheets
Most Linux command lists are either 10 commands that everyone already knows, or 200 commands with no context. This one sits in between. These are the commands I actually use day-to-day on Kali — for CTFs, pentesting, script debugging, and general system work. I've skipped the obvious ones (cd, mkdir, echo) and focused on the ones that took me a while to properly learn, with real examples of how I use them.
Navigation and file inspection
ls -la
The -l flag gives long format (permissions, owner, size, date). The -a shows hidden files (dotfiles). You need both. Always check for hidden files in CTF challenge directories — .htpasswd, .env, .git folders sitting there in plain sight.
ls -la /var/www/html/
ls -la ~/.ssh/
find
The most underrated command in Linux. Find files by name, type, permissions, owner, modification time — or any combination.
# Files modified in the last 24 hours
find /var/log -mtime -1 -type f
# SUID files — essential in privilege escalation
find / -perm -4000 2>/dev/null
# Find directories the current user can write to (-writable tests your own access, not the world-writable bit)
find / -writable -type d 2>/dev/null
# Files owned by a specific user
find / -user www-data -type f 2>/dev/null
The 2>/dev/null discards stderr, so permission-denied errors are hidden and you only see results you can actually read.
less and tail
For log files: less lets you page through a large file without loading it all into memory. tail -f follows a log file in real time — essential when watching application output or monitoring a running process.
less /var/log/auth.log
tail -f /var/log/nginx/access.log
tail -n 100 /var/log/syslog # last 100 lines
Text processing — the power trio
grep
Search for patterns in files or piped input. I use it constantly.
# Recursive search with line numbers
grep -rn "password" /var/www/ --include="*.php"
# Case-insensitive
grep -i "error" /var/log/app.log
# Invert match — show lines that DON'T match
grep -v "DEBUG" app.log
# Count matches
grep -c "Failed" /var/log/auth.log
# Show context around a match
grep -B2 -A2 "Exception" app.log
awk
awk processes text field by field. Default delimiter is whitespace. Once you get used to it, you reach for it constantly for log parsing.
# Print the 4th field (the hostname in a traditional syslog-format auth.log)
awk '{print $4}' /var/log/auth.log
# Print lines where the request method is POST
# (in the combined log format field 6 is "POST, opening quote included; field 7 is the path)
awk '$6 == "\"POST"' access.log
# Sum file sizes from ls -l output
ls -l | awk '{sum += $5} END {print sum}'
sed
sed edits text streams. The most common use: find and replace.
# Replace all occurrences in a file (in-place)
sed -i 's/localhost/192.168.1.1/g' config.txt
# Delete lines matching a pattern
sed '/^#/d' config.txt # remove comments
# Print only lines 10-20
sed -n '10,20p' file.txt
Process management
ps and grep combo
ps aux shows all running processes with user, PID, CPU%, memory%, and command. The real power is piping to grep.
ps aux | grep python
ps aux | grep -v root # processes not running as root
# Find what's listening on a port (lsof -t can print several PIDs, so hand them to ps as a comma-separated list)
ps -fp "$(lsof -ti :8080 | paste -sd, -)"
kill and pkill
kill -9 1234 # force kill by PID
pkill -f "python app.py" # kill by process name pattern
killall nginx # kill all processes with this name
jobs, bg, fg
When you start a long process and want to keep using the terminal: Ctrl+Z suspends it, bg resumes it in the background, fg brings it back to foreground. Append & to run a command directly in the background.
nmap -sV 10.10.10.1 &
jobs
fg %1
Permissions
chmod
chmod uses octal notation or symbolic notation. Octal is faster once you know it: 4=read, 2=write, 1=execute. Owner/Group/Others.
chmod 755 script.sh # rwxr-xr-x
chmod 600 id_rsa # rw------- (SSH key needs this)
chmod +x script.sh # add execute for everyone
chmod u+s binary # set SUID bit
sudo !!
The most useful trick: !! is shell shorthand for the last command. So sudo !! re-runs your last command as root. Saves constant retyping.
Networking commands
ss (replaces netstat)
ss is the modern replacement for netstat. The flags I use constantly:
ss -tulnp
# -t TCP -u UDP -l listening -n numeric -p show process
On a target machine during a pentest, this tells you what services are running and what ports they're on — including internal services not exposed to the network.
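To separate internal-only services from exposed ones, the listeners can be classified by bind address. This is an added example, not part of the original post; the function names and the ss output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -tulnp` output (not captured from a real host).
sample_ss() {
cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=612,fd=7))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=801,fd=3))
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mariadbd",pid=950,fd=21))
tcp   LISTEN 0      511    [::]:80            [::]:*            users:(("nginx",pid=1022,fd=6))
tcp   LISTEN 0      4096   [::1]:6379         [::]:*            users:(("redis-server",pid=977,fd=7))
tcp   LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=500,fd=14))
EOF
}

# Read `ss -tulnp` output on stdin and print "<scope> <proto> <port> <process>".
# scope is "loopback" for 127.0.0.0/8 and [::1], otherwise "exposed".
classify_listeners() {
  awk 'NR > 1 {
    # The port is whatever follows the last colon; IPv6 addresses contain colons too.
    n = split($5, part, ":")
    port = part[n]
    addr = substr($5, 1, length($5) - length(port) - 1)
    scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
    # Without root, ss -p leaves the Process column empty for other users.
    proc = "-"
    if (match($7, /"[^"]+"/)) proc = substr($7, RSTART + 1, RLENGTH - 2)
    print scope, $1, port, proc
  }'
}

# Only the listeners reachable from other hosts (before any firewall rules).
exposed_listeners() { classify_listeners | awk '$1 == "exposed"'; }

sample_ss | classify_listeners
```

On a live host, pipe the real output in: `ss -tulnp | exposed_listeners`.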
curl
curl is an HTTP client for the terminal. I use it for API testing, checking headers, and quickly testing endpoints.
# Check response headers
curl -I https://example.com
# POST JSON
curl -X POST -H "Content-Type: application/json" \
-d '{"username":"admin","password":"test"}' \
http://target/api/login
# Follow redirects, show verbose output
curl -Lv http://target/
# Download a file
curl -o file.zip http://target/download
nc — netcat
Netcat is the Swiss army knife of networking. Connect to ports, set up listeners, transfer files.
# Test if a port is open
nc -zv 10.10.10.1 80
# Listen for a connection (reverse shell catcher)
nc -lvnp 4444
# Send a file
nc -w3 target 4444 < file.txt
Pipes and redirects — the glue
Pipes (|) pass output from one command as input to the next. Redirects (>, >>) send output to files. Combining these is where Linux becomes genuinely powerful.
# Count unique IPs hitting your server
cat access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
# Find the 10 largest top-level entries under / (du -s totals each directory)
du -sh /* 2>/dev/null | sort -rh | head -10
# Search auth log for failed SSH attempts and count by IP
# ($11 is the IP only on traditional-format lines without "invalid user")
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn
A few that are specifically useful for security work
# Check for SUID binaries (privesc enumeration)
find / -perm -u=s -type f 2>/dev/null
# Check cron jobs
crontab -l
cat /etc/crontab
ls /etc/cron.*
# Check what files a user has access to
find / -user www-data 2>/dev/null
# Look for passwords in config files
grep -rn "password\|passwd\|secret\|key" /etc/ 2>/dev/null | grep -v "#"
# Check running services
systemctl list-units --type=service --state=running
Learn them by using them
The best way to learn these is not to read a list but to use them on real tasks. Run through a TryHackMe or HackTheBox machine and deliberately use the command-line tools instead of GUI alternatives. Check logs after running something. Parse output with grep and awk instead of scrolling. After a few weeks of daily use, these become muscle memory. That's the point — when you're in the middle of a pentest or debugging a crashed service at 2am, you want these to be automatic.
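The failed-SSH count from the pipes section relies on a fixed field number, which breaks on "invalid user" lines and on a different timestamp format. This added example (not part of the original post; function names and log lines are constructed) anchors on the words around the address instead and runs both versions on the same input.

```shell
#!/bin/sh
# Constructed auth.log lines (documentation IP ranges, not real traffic).
sample_auth() {
cat <<'EOF'
Jan 10 03:12:01 kali sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jan 10 03:12:04 kali sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Jan 10 03:12:09 kali sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
2025-01-10T03:13:40.120+00:00 kali sshd[2111]: Failed password for root from 203.0.113.7 port 51200 ssh2
Jan 10 03:14:00 kali sshd[2120]: Accepted password for kali from 192.0.2.10 port 50111 ssh2
Jan 10 03:14:30 kali sshd[2125]: Failed password for invalid user from from 198.51.100.23 port 40100 ssh2
EOF
}

# Fixed-position version, as in the cheatsheet: prints field 11 of each match.
naive_ips() { grep "Failed password" | awk '{print $11}'; }

# Position-independent version: scan from the right for "from <addr> port",
# so extra words ("invalid user"), a one-field ISO timestamp, or a username
# that is literally "from" do not shift the result.
failed_ips() {
  awk '/Failed password/ {
    for (i = NF; i > 2; i--)
      if ($i == "port" && $(i - 2) == "from") { print $(i - 1); break }
  }'
}

# Print "<ip> <count>", most frequent first.
count_by_ip() { sort | uniq -c | sort -rn | awk '{print $2, $1}'; }

echo "fixed field 11:"; sample_auth | naive_ips | count_by_ip
echo "anchored on from/port:"; sample_auth | failed_ips | count_by_ip
```

On a live system: `failed_ips < /var/log/auth.log | count_by_ip`.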